
[J/SRX] How do I tell if a VPN Tunnel SA (Security Association) is active?

  [KB10090]


Summary:

Determining whether the IKE and IPsec Security Associations (SAs) are active tells you whether the VPN tunnel is up or down.

This article describes how to verify that the VPN has been established by checking the output of show security ike security-associations (Phase 1) and show security ipsec security-associations (Phase 2).

Symptoms:

Verify if a VPN SA is active by reviewing the output of the commands show security ike security-associations and show security ipsec security-associations.

Solution:

To determine if the SA is active and whether the tunnel is up or down, check the status of IKE Phase 1 and then IPsec Phase 2 using the show security ike security-associations and show security ipsec security-associations commands as follows:
 

Step 1.  First, check the status of IKE Phase 1: 

CLI:
show security ike security-associations

J-Web:
Select Monitor > IPSec VPN > Phase I
 

 

user@CORPORATE> show security ike security-associations
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
1       2.2.2.2         UP     744a594d957dd513  1e1307db82f58387  Main
2       3.3.3.3         UP     744a594d957dd513  1e1307db82f58387  Main


Locate the entry for the Remote Address of the VPN in question and verify that the State is UP.
The State field shows the status of the Phase 1 (IKE) SA and will be either UP or DOWN. A Phase 1 SA that is UP only means the peers have authenticated and agreed on IKE parameters; it does not by itself mean that traffic can flow, so continue with Step 2.
For more information on the show security ike security-associations command output, refer to show security ike security-associations.

If the Remote Address is not displayed refer to KB10100 - Resolution Guide - How to troubleshoot a VPN tunnel that won't establish to investigate the cause of the VPN establishment issue.


 

Step 2.  If IKE Phase 1 is UP, then check the status of IKE Phase 2 (SA):

CLI:
show security ipsec security-associations

J-Web:
Select Monitor > IPSec VPN > Phase II

 


user@CORPORATE> show security ipsec security-associations  
  total configured sa: 2
  ID     Gateway         Port  Algorithm       SPI      Life:sec/kb  Mon vsys
  <32785 2.2.2.2         1398  ESP:3des/sha1   29e26eba 28735/unlim   -   0
  >32785 2.2.2.2         1398  ESP:3des/sha1   6d4e790b 28735/unlim   -   0

  total configured sa: 2
  ID     Gateway         Port  Algorithm       SPI      Life:sec/kb  Mon vsys
  <32786 3.3.3.3         500   ESP:3des/sha1   5c13215d 28782/unlim   U   0
  >32786 3.3.3.3         500   ESP:3des/sha1   18f67b48 28782/unlim   U   0

 


Locate the entry whose Gateway column matches the remote address of the VPN in question.  If the remote gateway is not displayed, then Phase 2 has not established and the VPN is currently down.  Refer to KB10100 - Resolution Guide - How to troubleshoot a VPN tunnel that won't establish to investigate the cause of the VPN establishment issue.
 

If the VPN Gateway is listed, the Phase 2 SA has established and the tunnel is UP.  The output displays two lines for each VPN tunnel, one per direction of traffic, each with its own SPI: the line whose ID begins with < is the inbound SA and the line whose ID begins with > is the outbound SA.  If only one direction is present, the SA is incomplete and traffic will not pass in both directions.

The Mon field is used by VPN Monitoring to reflect the status of the tunnel and will have one of the following values.

  • - : (hyphen) The VPN tunnel is Active, and the optional VPN Monitor feature is not configured.
  • U: (UP) The VPN tunnel is Active, and the link (detected through the VPN Monitor probes) is UP.
  • D: (DOWN) The VPN tunnel is Active, but the VPN Monitor probes to the peer are failing, so the link is reported DOWN. The SA exists, yet traffic is not reaching the remote end; treat this as a down tunnel when investigating.

For more information on the show security ipsec security-associations command output, refer to show security ipsec security-associations.
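The two-step check above can be automated for monitoring or for bulk verification of many tunnels. The following Python script is an added example and is not part of the Juniper KB; it parses the text of the two show commands (the KB's own sample output is embedded here as constructed input so the script runs offline) and applies the same decision procedure: Phase 1 must be UP, a Phase 2 SA must exist for the gateway with both an inbound and an outbound SPI, and a Mon value of D is reported as a down link even though the SA exists. In practice the two strings would be captured from the SRX over SSH or NETCONF; that transport is assumed and not shown.

```python
"""Report per-peer VPN tunnel status from Junos SRX IKE and IPsec SA output.

Added example, not Juniper code. The sample outputs below are the KB's own
CLI output embedded as constructed strings; replace them with text captured
from 'show security ike security-associations' and
'show security ipsec security-associations'.
"""
import re

# Constructed sample: Phase 1 listing as shown in the KB article.
IKE_OUTPUT = """\
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
1       2.2.2.2         UP     744a594d957dd513  1e1307db82f58387  Main
2       3.3.3.3         UP     744a594d957dd513  1e1307db82f58387  Main
"""

# Constructed sample: Phase 2 listing as shown in the KB article.
IPSEC_OUTPUT = """\
  total configured sa: 2
  ID     Gateway         Port  Algorithm       SPI      Life:sec/kb  Mon vsys
  <32785 2.2.2.2         1398  ESP:3des/sha1   29e26eba 28735/unlim   -   0
  >32785 2.2.2.2         1398  ESP:3des/sha1   6d4e790b 28735/unlim   -   0

  total configured sa: 2
  ID     Gateway         Port  Algorithm       SPI      Life:sec/kb  Mon vsys
  <32786 3.3.3.3         500   ESP:3des/sha1   5c13215d 28782/unlim   U   0
  >32786 3.3.3.3         500   ESP:3des/sha1   18f67b48 28782/unlim   U   0
"""

# One IKE SA row: index, remote address, state, two cookies, mode.
IKE_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(UP|DOWN)\s+([0-9a-f]+)\s+([0-9a-f]+)\s+(\S+)\s*$")
# One IPsec SA row: direction marker, id, gateway, port, algorithm, SPI,
# lifetime, Mon flag, vsys. Header and 'total configured sa' lines do not match.
IPSEC_RE = re.compile(
    r"^\s*([<>])(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+([0-9a-f]+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

MON_MEANING = {
    "-": "active, VPN monitor not configured",
    "U": "active, VPN monitor reports link up",
    "D": "active SA, but VPN monitor reports link down",
}


def parse_ike(text):
    """Return {remote_address: state} for every Phase 1 SA in the listing."""
    states = {}
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            states[m.group(2)] = m.group(3)
    return states


def parse_ipsec(text):
    """Return {gateway: {id, algorithm, mon, spi: {in, out}}} for Phase 2 SAs."""
    sas = {}
    for line in text.splitlines():
        m = IPSEC_RE.match(line)
        if not m:
            continue
        direction, sa_id, gw, _port, alg, spi, _life, mon, _vsys = m.groups()
        entry = sas.setdefault(gw, {"id": sa_id, "algorithm": alg,
                                    "mon": mon, "spi": {}})
        # '<' marks the inbound SA, '>' the outbound SA; one line per direction.
        entry["spi"]["in" if direction == "<" else "out"] = spi
    return sas


def tunnel_status(peer, ike_text, ipsec_text):
    """Apply the KB decision procedure for one remote gateway address."""
    ike = parse_ike(ike_text)
    if peer not in ike:
        return "phase1-missing"      # no IKE SA at all: troubleshoot per KB10100
    if ike[peer] != "UP":
        return "phase1-down"
    sas = parse_ipsec(ipsec_text)
    if peer not in sas:
        return "phase2-missing"      # Phase 1 up, but no IPsec SA for the peer
    sa = sas[peer]
    if sa["mon"] == "D":
        return "up-monitor-down"     # SA exists but probes to the peer fail
    if len(sa["spi"]) != 2:
        return "up-incomplete"       # only one direction present
    return "up"


if __name__ == "__main__":
    for gw in sorted(set(parse_ike(IKE_OUTPUT)) | set(parse_ipsec(IPSEC_OUTPUT))):
        mon = parse_ipsec(IPSEC_OUTPUT).get(gw, {}).get("mon", "?")
        print(f"{gw:<16} {tunnel_status(gw, IKE_OUTPUT, IPSEC_OUTPUT):<16} "
              f"{MON_MEANING.get(mon, 'no Phase 2 SA')}")
```

The regular expressions are written against the column layout shown on this page; newer Junos releases print additional columns in the IPsec listing (for example a tunnel ID or a remote address with port), so check the patterns against your own output before relying on the script.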

 

Modification History:
2018-09-06: Corrected typo in the Related Links section for the SRX Jumpstation
Related Links: